Make WordPress Core

Opened 15 years ago

Closed 12 years ago

#11695 closed defect (bug) (worksforme)

Comments on private posts can be viewed by anyone via RSS

Reported by: palotasb Owned by:
Milestone: Priority: high
Severity: normal Version:
Component: Comments Keywords: has-patch needs-testing
Focuses: Cc:

Description

If you consider that comments on a private post can contain confidential information, this is a security bug or privacy/information disclosure vulnerability.

To reproduce, create a private post and try to view the post's comment feed after you've logged out. You can see the comments, but you shouldn't.

A temporary solution is to install the plugin I've attached to this ticket, but the real solution is to modify core files.
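The reproduction step above can be scripted. The following is an added example for this ticket, not code from the reporter's attached plugin or from WordPress core: a command-line probe that requests one or more feed URLs as an anonymous client (no cookies, no credentials) and counts the RSS 2.0 `<item>` elements returned. For a post known to be private, any item returned to an anonymous client is exactly the disclosure described. The URL form in the usage line is an assumption; pass whatever comment-feed URL the site actually exposes.

```php
<?php
/**
 * private-feed-probe.php (added example for ticket #11695, not core code)
 *
 * Usage (the URL form is an assumption; use the site's real comment-feed URLs):
 *   php private-feed-probe.php https://example.com/2010/01/secret-post/feed/
 * Exit status is 1 when any URL returned at least one <item> to an anonymous client.
 */

/** Fetch $url with no cookies or credentials; returns array( status, body ). */
function pfp_fetch_anonymous( $url ) {
	$ctx = stream_context_create( array(
		'http' => array(
			'method'        => 'GET',
			'ignore_errors' => true, // keep the body of 4xx/5xx responses too
			'timeout'       => 10,
			'header'        => "User-Agent: private-feed-probe\r\n",
		),
	) );
	$body   = @file_get_contents( $url, false, $ctx );
	$status = 0;
	// $http_response_header is populated in this scope by file_get_contents().
	if ( isset( $http_response_header[0] )
		&& preg_match( '#^HTTP/\S+\s+(\d{3})#', $http_response_header[0], $m ) ) {
		$status = (int) $m[1];
	}
	return array( $status, (string) $body );
}

/** Count RSS 2.0 <item> elements in $body; a non-XML body (e.g. an HTML 404) counts as 0. */
function pfp_count_items( $body ) {
	$prev = libxml_use_internal_errors( true );
	$xml  = simplexml_load_string( $body );
	libxml_clear_errors();
	libxml_use_internal_errors( $prev );
	if ( false === $xml ) {
		return 0;
	}
	$items = $xml->xpath( '//item' );
	return is_array( $items ) ? count( $items ) : 0;
}

if ( PHP_SAPI === 'cli' ) {
	$leaks = 0;
	foreach ( array_slice( $argv, 1 ) as $url ) {
		list( $status, $body ) = pfp_fetch_anonymous( $url );
		$items = pfp_count_items( $body );
		if ( $items > 0 ) {
			$leaks++;
		}
		printf( "HTTP %d  %d item(s)  %s\n", $status, $items, $url );
	}
	exit( $leaks > 0 ? 1 : 0 );
}
```

Run it while logged out of the site (it never sends cookies anyway). A fixed install answers with a 404 and zero items for a private post's comment feed; a vulnerable one answers 200 with one item per comment.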

Attachments (3)

comment-rss-security.php (989 bytes) - added by palotasb 15 years ago.
Plugin replaces the content of comments on private posts with the text ("Enter your password to view comments").
11695.diff (590 bytes) - added by blepoxp 14 years ago.
Intercepts inside do_feed() function
11695-2.diff (593 bytes) - added by sillybean 14 years ago.
Updated for revision 17246


Change History (16)

@palotasb
15 years ago

Plugin replaces the content of comments on private posts with the text ("Enter your password to view comments").

#1 @nacin
15 years ago

There's also a URL parameter that converts it from a comments feed to a single post feed, so the post is probably accessible as well here.

#2 @Denis-de-Bernardy
15 years ago

I suggest we change this ticket's reporting, and switch it to: drop private posts support in core, and make it plugin material. In addition to the performance problem that private posts cause, there are just so many tickets related to viewing private posts or a private post's comments by users who shouldn't be able to.

#3 @scribu
15 years ago

Denis, I've learned from previous experiences that hijacking tickets like that isn't a good idea.

You should create a new ticket with your proposal and reference all the other tickets you mentioned, including this one.

#4 @scribu
15 years ago

  • Milestone changed from Unassigned to Future Release

#5 @Denis-de-Bernardy
15 years ago

you're very right. sorry 'bout that. :-)

#11697

#6 @Denis-de-Bernardy
15 years ago

  • Keywords bug-hunt added

#7 @Denis-de-Bernardy
15 years ago

  • Keywords featured added; bug-hunt removed

#8 @blepoxp
14 years ago

  • Keywords has-patch dev-feedback added

Is this still an active ticket? I've attached a solution that intercepts at the do_action function.
My initial thought was to modify inside query.php, which I was able to do successfully - suppressing all comments from being printed, but the post Title was still displayed in the RSS feed header.

I looked at several different places to insert code like this and do_feed seemed like the best solution. Thoughts?

@blepoxp
14 years ago

Intercepts inside do_feed() function

#9 @scribu
14 years ago

  • Keywords needs-testing added; dev-feedback removed

Looks good.

@sillybean
14 years ago

Updated for revision 17246

#10 @sillybean
14 years ago

Tested, looks great. Refreshed the patch.

#11 @nacin
14 years ago

We need to pull in the queried object's post type and do cap->read_private_posts, rather than a raw cap check.
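One way to implement the check nacin describes, as an added example for this ticket and not code from core or from the attached patches: a small plugin that hooks `template_redirect` (which runs before `do_feed()`), looks up the queried post's type with `get_post_type_object()`, and tests that type's registered `cap->read_private_posts` instead of a hard-coded capability string. The hook name, function names and the 404 response are this example's own choices; the behaviour of the WordPress functions used is as documented for core.

```php
<?php
/**
 * Plugin Name: Private Comment Feed Guard (added example for ticket #11695)
 * Description: Answers 404 for the feed of a single private post unless the
 *              visitor holds the post type's read_private_posts capability.
 *              Example code, not core and not one of the patches on this ticket.
 */

// template_redirect fires before do_feed(), so an unauthorised request never
// reaches the feed template and never renders the post title in the header.
add_action( 'template_redirect', 'pcfg_guard_private_post_feed' );

function pcfg_guard_private_post_feed() {
	// In scope: any feed for a single post. That covers the per-post comment
	// feed and the single-post feed variant mentioned in comment #1 alike.
	if ( ! is_feed() || ! is_singular() ) {
		return;
	}

	$post = get_queried_object();
	if ( ! is_object( $post ) || empty( $post->post_type ) ) {
		return;
	}

	if ( ! pcfg_current_user_can_read_in_feed( $post ) ) {
		status_header( 404 );
		nocache_headers(); // keep proxies from caching either the 404 or an earlier 200
		wp_die( 'Not found', 'Not found', array( 'response' => 404 ) );
	}
}

/**
 * Decide whether the current visitor may see $post (and therefore its
 * comments) in a feed, using the capability registered for the post's own
 * type rather than the literal 'read_private_posts'.
 */
function pcfg_current_user_can_read_in_feed( $post ) {
	if ( 'private' !== $post->post_status ) {
		return true; // published posts are public; other statuses are not queried for feeds
	}

	$type = get_post_type_object( $post->post_type );
	if ( ! $type ) {
		return false; // unregistered type: fail closed
	}

	// The author may always read their own private post.
	if ( is_user_logged_in() && (int) $post->post_author === get_current_user_id() ) {
		return true;
	}

	return current_user_can( $type->cap->read_private_posts );
}
```

Core's `map_meta_cap()` performs the same mapping when asked for the `read_post` meta capability, so `current_user_can( 'read_post', $post->ID )` is a shorter equivalent for the private-post branch; the explicit lookup above is kept to make the per-post-type capability visible.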

#12 @obenland
12 years ago

Is this bug still occurring?

I just tested it with private and password protected posts. Private posts comment feed returned 404, on password protected posts the comment content was hidden with the notification message to enter the password.

#13 @SergeyBiryukov
12 years ago

  • Keywords featured removed
  • Milestone Future Release deleted
  • Resolution set to worksforme
  • Status changed from new to closed

I could not reproduce this using the steps provided in the description, in neither 2.8 nor 2.9 (when the ticket was created), nor in current trunk.

When a logged out user tries to view a private post's comment feed, $wp_query->posts is set to an empty array due to the check in get_posts():
http://core.trac.wordpress.org/browser/tags/3.4.1/wp-includes/query.php#L2674

handle_404() then issues a 404 error:
http://core.trac.wordpress.org/browser/tags/3.4.1/wp-includes/class-wp.php#L463

Feel free to reopen with more information if there's still a problem.
